AUSTIN – Texas Attorney General Greg Abbott sent a letter to Texas Insurance Commissioner Julia Rathgeber encouraging the state Department of Insurance to enact new consumer protection and privacy requirements for Obamacare navigators. The attorney general advocated for new state rules in order to prevent fraud and identity theft.

In an August letter to U.S. Health and Human Services Secretary Kathleen Sebelius, Attorney General Abbott and 12 other state attorneys general expressed similar concerns and recommended that federal privacy rules governing navigators be enhanced to help protect consumers. The attorneys general neither received a response from the U.S. Department of Health and Human Services nor have the necessary federal privacy regulations since been established.

“Obamacare navigators have access to Texans’ most sensitive and personal information,” Attorney General Abbott said. “Inexplicably, the federal government has failed to enact safeguards that are necessary to properly protect Texans’ privacy, so I am deeply concerned about the threat of identity theft. Given the Obama Administration’s apparent indifference to the seriousness of these problems, I am thankful that Texas officials are stepping up and moving toward meaningful protections for Texans.”

Attorney General Abbott’s latest concerns with Obamacare navigators and his recommendations to Commissioner Rathgeber to address these concerns are:

CONCERN: The Navigator Standard Operating Procedures Manual (SOP Manual) does not sufficiently train navigators on how to protect consumers’ personal information from improper disclosures and fraud.RECOMMENDATION: The Texas Department of Insurance should consider establishing comprehensive requirements that govern how consumers’ personal information is collected, stored, transferred, and secured, and consider publishing a Texas Navigator Operating Manual.

CONCERN: The SOP Manual provides no detailed “standard operating procedure” for what a navigator is required to do in the event an individual’s private medical, financial or other personal information is inappropriately disclosed.RECOMMENDATION: The Texas Department of Insurance should establish regulations that require navigators to immediately notify the consumer as well as the Texas Attorney General’s Office when an individual’s sensitive personal information has been compromised, stolen or otherwise released to an unauthorized source. Further, the Department should require that navigators receive training on the steps that an individual should take to protect themselves from identify theft in the event their sensitive personal information is compromised.

CONCERN: The SOP manual includes little information about federal or state laws that are violated when an individual’s personal information is disclosed or improperly utilized.RECOMMENDATION: The Texas Department of Insurance should require that navigators receive training on the myriad state and federal laws that were enacted to protect personal privacy and prevent identity theft.

CONCERN: The federal rules governing navigators do not require that navigators be subjected to criminal background checks before they are allowed to obtain and access Texans’ sensitive personal information.RECOMMENDATION: The Texas Department of Insurance should establish a state regulation that requires criminal background checks and prohibits individuals convicted of felonies – or theft-related criminal offenses – from serving as navigators in the State of Texas.

I write regarding the Texas Department of Insurance’s implementation of SB 1795 and proposed state regulations of federal health insurance navigators. It is my understanding that your office has discovered potential insufficiencies with federal regulations governing navigators and is therefore exploring the adoption of state rules that increase protections for Texas health insurance consumers.

Last summer, I identified a number of problems with the federal navigator regulations in a letter to Secretary Sebelius. The concerns that I—along with twelve other state attorneys general— identified in our letter still have not been adequately addressed by the Obama Administration, so
I am hopeful that the Texas Department of Insurance will move quickly to establish state regulations that will protect Texans’ medical privacy.

It is my understanding that your office has identified specific insufficiencies with the federal navigator rules that may need to be addressed via state regulations enacted pursuant to SB 1795. Based upon stakeholder meetings and discussions with interested parties, your office has identified the following notable insufficiencies with federal regulations:

- Inadequate attention to federal privacy requirements under HIPAA.
- No criminal background checks for navigators who will have access to Texans’ most sensitive private information.
- The absence of confidentiality requirements to govern how navigators handle consumers’ personal information.

As you know, the above are just three of the insufficiencies that the Texas Department of Insurance has already identified thus far. We understand that your office is now studying how to address these and other problems and will prepare an outline of insufficiencies that the State will endeavor to address with its own regulations in the absence of improved standards promulgated by the federal government. With that in mind, I wanted to offer concerns identified by the Office of the Attorney General so that you can incorporate them into your review process.

First, as you know, navigators will gain access to Texans’ most intimate personal information.
According to the Health Insurance Marketplace Navigator Standard Operating Procedures
Manual (SOP Manual) published by the Centers for Medicare & Medicaid Services, this personal information includes an “individuals past, present, or future physical or mental health or condition,” tax and financial information, including “[i]nformation about consumers’ incomes, personal finances, debts, deductions and exemptions,” and private employment and family information and histories. Yet, the 200-page federal SOP manual devotes just a handful of pages to instructing navigators how to protect consumers’ personal information from improper disclosures and fraud.

The Texas Department of Insurance should consider establishing comprehensive requirements that govern how consumers’ personal information is collected, stored, transferred, and secured. Further, the Department should consider publishing a Texas Navigator Operating Manual that incorporates all applicable state and federal privacy requirements—including whatever requirements are established by the Department pursuant to its authority under SB 1795.

Second, other than a requirement to report security breaches to the U.S. Department of Health & Human Services and provide “Quarterly Progress Reports” revealing security breaches, the SOP manual provides no detailed “standard operating procedure” for what a navigator is required to do in the event an individual’s private medical, financial, or other personal information is inappropriately disclosed. The Texas Department of Insurance should establish regulations that—consistent with Chapter 521 of the Deceptive Trade Practices Act—require navigators to immediately notify any consumer whose sensitive personal information has been compromised, stolen, or otherwise released to an unauthorized source. Navigators should also be required to notify TDI and the Attorney General’s Office immediately after an unauthorized disclosure of sensitive personal information.

Further, the Department should require that navigators receive training on the steps that an individual should take to protect themselves from identify theft in the event their sensitive personal information is compromised. For example, by informing navigators about the Identity Theft Victim’s Kit published by this office, navigators will know to immediately provide that critical resource to individuals whose sensitive personal information is compromised. Anytime there is an unauthorized disclosure of personal information, it is critical that the victim take immediate action to protect their identity from theft. The Department could facilitate an immediate response by incorporating forms and checklists into a Texas Navigator Operating Manual—and thereby delineate the steps that navigators should follow in the event of an unauthorized disclosure of consumers’ sensitive personal information.

Third, the SOP manual includes little information about federal or state laws that are violated when an individual’s personal information is disclosed or improperly utilized. The Texas Department of Insurance should require that navigators receive training on the myriad of state and federal laws that were enacted to protect personal privacy and prevent identity theft. Such a requirement would help protect both consumers—and navigators, who may not be aware that the Texas Identity Theft Enforcement and Protection Act imposes civil penalties of up to $50,000 on any individual or entity who fails to properly and securely protect a consumer’s sensitive personal information. By incorporating the steps that navigators are required to follow into a Texas Navigator Operating Manual, the Department could ensure that navigators have all relevant statutory requirements at their immediate disposal so that consumers are notified on how to prevent identity theft as soon as possible after an unauthorized disclosure.

Fourth, as your office has already recognized, the federal rules do not require that navigators be subjected to criminal background checks before they are allowed to obtain and access Texans sensitive personal information. The Texas Department of Insurance should establish a state regulation that requires criminal background checks and prohibits individuals convicted of felonies—or theft-related criminal offenses—from serving as navigators in the State of Texas. Further, to promote compliance, the rules should establish a criteria or definition of what constitutes a ‘criminal background check.” The requirements contained in Texas Department of Insurance Rule §1.502(e) under Title 28, Part 1, Chapter 1, Subchapter D of the Texas Administrative Code are illustrative of the types of criminal conduct that could be screened and prohibited under the Department’s state navigator rules.

Obviously, the above referenced issues represent just a handful of insufficiencies that pose a serious threat to the privacy of Texas consumers. Given the severity of the risks posed by inadequate federal navigator regulations, I want to make our Consumer Protection Division and its staff available to provide legal advice and counsel to your office as you contemplate what additional rules and regulations are necessary to protect Texas consumers.

Thank you for your attention and swift action on this very important matter. Please do not hesitate to contact me if we can be of assistance throughout this process.